Saturday, April 28, 2007

I didn't notice that my research honeypot's partition was full while it was collecting malware, so it generated a lot of malware files with size 0 as there was no room for them. Since I have all of them collected under /var/nepenthes/binaries, I just execute the command below to delete all of the files with size 0 -

I think I will need to write a script to automate the process by moving all the files under this directory to another partition when the /var partition is full; otherwise I will need to do it manually, which wastes my time.

Sometimes it is fun to poke at shell commands, especially tricky ones. To rename all the files in the directory that have a '-' prefix so that the '-' gets discarded, you can try the command below.
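Covering the zero-size cleanup, the move-to-another-partition idea and the leading-'-' rename above, here is a small set of POSIX sh helpers added as an illustration; they are not the blog's own command lines. They assume a binaries directory such as /var/nepenthes/binaries, a destination directory on another partition and a usage threshold in percent, all passed as parameters.

```shell
#!/bin/sh
# Constructed housekeeping helpers for a nepenthes binaries directory (added
# here, not the blog's own command). Assumes a directory such as
# /var/nepenthes/binaries and a spare directory on another partition.

# Delete zero-byte files left behind when the partition filled up.
# Echoes how many files were removed.
prune_empty() {
    dir=$1 count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then
            rm -f -- "$f"      # '--' stops odd names being read as options
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Rename files whose names begin with '-', dropping the leading dashes.
# "$dir/" in front of the name and the '--' guard keep mv from seeing an option.
strip_dash_prefix() {
    dir=$1 count=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue
        new=$(printf '%s\n' "${f##*/}" | sed 's/^-*//')
        [ -n "$new" ] || continue   # a name made only of dashes has nothing left
        mv -- "$f" "$dir/$new"
        count=$((count + 1))
    done
    echo "$count"
}

# Move the collection to $dest once the filesystem holding $dir is at least
# $limit percent used (as reported by df -P). Echoes the number of files moved.
relocate_if_full() {
    dir=$1 dest=$2 limit=$3 count=0
    used=$(df -P "$dir" | awk 'NR == 2 { sub("%", "", $5); print $5 }')
    [ "$used" -ge "$limit" ] || { echo 0; return 0; }
    mkdir -p -- "$dest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mv -- "$f" "$dest/"
        count=$((count + 1))
    done
    echo "$count"
}
```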

Friday, April 27, 2007

I never really noticed this until today. I think OpenBSD has made a lot of modifications to tcpdump; privilege dropping is just one of the features. You can check out all the OpenBSD change logs to date here -

It makes use of the p0f database but only performs the fingerprinting on TCP packets with the SYN flag set (in fact p0f is more powerful, as it works with packets with other flags set as well). Anyway, tcpdump should be able to give you a quick glance at the remote operating system that is trying to probe you.

Kudos to the OpenBSD team for it. By the way, I bet you all can't wait for this -

Saturday, April 21, 2007

Yeah, there are people asking me about the progress of my book - Network Security Analyst: The Handbook.

My initial idea was to have all my blog posts regarding the usage of network security tools included and packaged into the book, but I realized that this won't make it a good book for a Network Security Analyst. I have had more thoughts about the book lately, hence I can't have it shipped sooner. There are four primary sections in the book which I think are very important for network security analyst wannabes -

Network Security Analyst: The RoadMap

What are the good foundations and technical knowledge that should be acquired to become a good network security analyst? I hope The RoadMap can answer questions like that; until now I haven't seen any books discussing this topic yet.

Network Security Analyst: The WorkFlows

What are the methodologies and mechanisms that are used by network security analysts to handle their tasks? The routine daily tasks, the automated and manual processes of performing analysis, situation handling and so forth.

This is more about how to think or work like a network security analyst. I will try to standardize the common workflows, but you are free to extend them in your own way.

Network Security Analyst: The Tools

What are the tools that are commonly used by Network Security Analysts and how do they use them? I believe this part should demonstrate NSM-based tool usage; one should understand this is not the real meat of being a network security analyst, it is more of a helper section showing various examples of using network security tools. This section will be updated regularly as I import material from my blog and modify it to be more organized and readable. I suggest you read this book to get yourself ready when it comes to using most of the network security tools -

I truly believe that learning to use the tools itself won't make you a good analyst; the right thing to do is to study how to interpret the results generated by the tools. This is often not emphasized, but I would say most analysts will agree with me.

This will load up a few incident scenarios and show how a Network Security Analyst starts the analysis process, from examination, escalation and confirmation through to decision making. This will make a good round-up of what has been studied in the previous three sections, applying it to real-world scenarios. One of the sites that I suggest you look at should be -

All the sections are actually correlated. Everyone is welcome to give me suggestions and input; what do you think? I don't have the skill to write, but no one can stop me from writing anyway.

P/S: For the book, ayoi will be one of the contributors. I would love to spare my time to develop a Network Security Analyst LiveCD (we call it the raWPacket LiveCD) using freesbie and ship it together with the release of the book, but time is always a constraint. However, I'm glad that I have chfl4gs with me now in developing the liveCD. Stay tuned!!!!!

Btw, I'm looking for a non-paid editor (this is a free ebook) as my English is not good. If you would like to help, please let me know.

When dealing with passive ftp instead of active ftp, I used to examine the network traffic manually, especially to reconstruct all the data channels, as passive ftp uses dynamically chosen ephemeral ports (usually ports > 1024) on both the client and server ends, unlike active ftp where a fixed port (20) is used on the server side. After looking into how passive ftp actually works (over both IPv4 and IPv6, and across ftp server implementations), I decided to write a bash shell script to extract all the passive ftp data channels for an ftp flow from argus data. Again, if you have read my paper in which I used argus for botnet detection, this shell script makes use of the argus client tool ragrep again to extract all the necessary flows and their associated data channels. Here's the interesting result when I execute my script - argus-PASVFTP.sh.

It works on ftp over IPv6 too; the ftp data channels are 64534, 60801 and 60199.

You can now run the argus client tool (ra) to locate all the passive ftp flows by filtering on those ports. Though I have only tested this script on FreeBSD and Gentoo Linux, it should work flawlessly on other *nix platforms as long as you have the bash shell and the argus clients installed. Again, here I demonstrate an interesting example of using the argus client tools.
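As an added example, not the blog's argus-PASVFTP.sh itself, the POSIX sh functions below show the port arithmetic such a script has to do for the 227 (IPv4 PASV) and 229 (EPSV, the form used over IPv6) replies, and turn the ports found into an ra filter. The reply lines are constructed; the real script pulls them out of argus data with ragrep.

```shell
#!/bin/sh
# Added example (constructed; not the blog's argus-PASVFTP.sh): work out the
# passive ftp data channel port from the server's reply so it can be put into
# an ra filter. The reply lines fed to these functions are constructed; in
# practice they come from the control-channel payload ragrep pulls out of argus data.

# 227 reply (IPv4 PASV): port = p1 * 256 + p2 from "(h1,h2,h3,h4,p1,p2)".
# 229 reply (EPSV, the form used over IPv6): port sits in "(|||port|)".
# Prints the port, or nothing if the line is not a passive-mode reply.
# A trailing CR from the ftp dialogue does not get in the way of either match.
pasv_port() {
    printf '%s\n' "$1" | awk '
        /^227 / { n = split($0, a, /[(),]/); k = 0
                  for (i = 1; i <= n; i++) if (a[i] ~ /^[0-9]+$/) f[++k] = a[i]
                  if (k == 6) print f[5] * 256 + f[6] }
        /^229 / { if (match($0, /\([|][|][|][0-9]+[|]\)/))
                      print substr($0, RSTART + 4, RLENGTH - 6) }'
}

# Read control-channel replies (one per line on stdin) and build the BPF-style
# filter that ra(1) would take after "-" to select only the data channels.
data_channel_filter() {
    filter=''
    while IFS= read -r line; do
        port=$(pasv_port "$line")
        [ -n "$port" ] || continue
        filter="${filter:+$filter or }port $port"
    done
    printf '%s\n' "$filter"
}
```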

Thanks to Richard for the IPv6 pcap file that he sent me, or else I wouldn't have been able to examine ftp over IPv6 lately.

I plan to include this script in the liveCD that we (chfl4gs and I) are actively developing. If any of you are interested in having fun with the script, feel free to let me know.

Yes, I advocate open source. I support anyone who really wants to push open source stuff. But I'm not doing enough, as I am not involved in open source development or the coding part. But do you really need to be an almighty programmer in order to be involved in the open source movement? I bet not; there are many ways to promote open source. I believe every little piece of support and effort is important, whether you are testing the software, submitting bugs, writing documentation or anything else.

My friend surface took a different approach: he decided to promote open source usage by example, and now it seems the site is growing and there are many tips and tricks that are very useful. You can check it out at -

Thursday, April 19, 2007

I use argus for my daily tasks. Like I mentioned, the argus client tools are easy to use but hard to master; it can be tricky to work with them sometimes. However, I believe experience may make you wiser when dealing with complex tools. I really appreciate Hanashi's work on BIRT for sguil report generation. As Hanashi is working on sancp session data, I'm more into looking at argus flow data. Here's a very short paper that I have written on using the argus client tools (ragrep and radump) to perform botnet detection.

Tuesday, April 17, 2007

I'm looking into ourmon as it seems to be a very powerful tool for building a network baseline, anomaly detection and so forth. I found that there's an ourmon port available on FreeBSD, which is version 2.5. After looking around with Google, I got to know that the ourmon developers have updated the ourmon port for FreeBSD to version 2.7. Since I don't want to touch anything in the ports tree as I'm using a release for the moment, and I'm lazy, I decided to download the port manually, which you can find here -

Everything was built properly, and it comes to this configuration part -

Next we determine the ourmon config/filter file to use. By default, we use the local /usr/local/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /usr/local/mrourmon/etc? [n]

Next we suggest one modification to the ourmon.conf file.

If this is a default install, you should change the following config directive:

topn_syn_homeip network/netmask

and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. [127.0.0.1/32] 192.168.0.0/24
netmask: 192.168.0.0/24

Do you want to install the ourmon startup script in the ourmon bin? [y]
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [xl0]
input interface is xl0

Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y]

INFO only: setting up local rrdbase directory at /usr/local/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:

We need a UDP weight threshold for UDP scan alerts
what should the weight be (default is given): [10000000]

Now I have ourmon running. This is a pretty simple setup as I didn't even look at the web setup; I'm looking forward to tuning the bpf and other related configurations when I have time to look into it.

In fact one of the good reasons why I look at ourmon is because I want to make a comparison between ourmon and argus, as both are open source based, and maybe I will be able to construct similar ideas using argus instead, as it is currently heavily used by me. Seriously, I would love it if someone who has good experience with Arbor and other commercial products that do network flow analysis could tell me more about them, since I have had no chance to use them.

Anyway I plan to buy this book as it's the only book that introduces ourmon -

Monday, April 16, 2007

This is for my own notes, as I can't really remember everything in argus. It is definitely a beast, as it needs some tinkering to fully understand how it works and to get the output you need. Anyway, I just blog it here in case someone is interested.

Ragraph is one of the argus clients, used to create graphs out of argus data. In fact argus comes with a lot of client tools that are very powerful; all the client tools are easy to use but hard to master. The 'Hard to Master' part really kills a lot of people, including me.

Here's the graph showing dns traffic, for both source and destination bytes. You may notice that changing the time mode makes a huge difference. The first graph, with -M 1s, shows the data per second and therefore looks more detailed; the second graph is generated using -M 1m, which is 1 minute, and therefore looks coarser as each point spans 1 minute of data. I first saw this kind of graph on the argus site and didn't really understand it until I tried it myself.

Saturday, April 14, 2007

There are a few tools that I would like to try out, but they are only available on the Windows platform. Guess I need to install Windows in VMware for testing. I haven't really touched anything on Windows lately except for Windows Server 2003. Anyway, here is the list of tools that seem interesting to me -

I'm not promoting the Windows OS here, but most of the tools here are freely available and open source, and it does no harm to try them out. Anyway, if you have experience with any of these tools, I would like to hear some feedback from you as I'm in a lazy mood to try them out.

Wednesday, April 11, 2007

Thanks to my friend who sent me this link; it is about a survey that was done by Symantec Malaysia. It states that 96% of the computers are zombies. I'm wondering whether they are trying to generate fear so that more people will buy their anti-virus solution or whether this is true. I'm probably happy to see we are in the top 7 of the list since that really shows the Malaysia Can spirit.

Another interesting result from them is that 84 percent of emails from Malaysia are classified as spam. I'm really curious how they are able to identify this portion, as there's no perfect solution to identify or classify email with unsolicited intentions. Plus, they are actually setting up decoy email addresses (honeypot-alike) for this kind of identification, which I don't think can be that accurate.

"This and the high number of zombie machines in Malaysia is tarnishing the country's image". This is way too much emphasis; they are putting a big blame on the users, and most of the users don't even know what is happening out there. They are just using the internet for surfing, doing some transactions and so forth.

"It said copies of pirated software sometimes contained trojans and other hidden malicious programs, and these are surreptitiously planted into computer systems when users installed the software". This is not the case, in my opinion. As most of the users in Malaysia are using pirated software, it leads to more vulnerabilities in the application software and the operating systems themselves, as they can't patch them since they are not using the licensed or commercial version. That's what most malicious attackers target over the networks, instead of just distributing it via the software/pirated CDs that people buy, which is more of a blind attack.

"An antivirus program is not enough, said Symantec. Users need a security solution that combines antivirus, firewall and intrusion detection capabilities". Okay, it still comes back to marketing sense; I expected that. But the truth is users are still vulnerable even with all those solutions utilized; malicious attackers are way smarter at bypassing most of them. You are trying to reduce the risk for users, however that won't work once the internet browser itself becomes a victim as well. Combined with some social engineering tricks, users tend to be fooled without knowing it. And some of them just get caught via USB thumb drives.

"Computer users should also be careful about disclosing confidential, personal or financial information online unless they know that the request for such is legitimate, cautioned Symantec". I doubt users will listen to this; it reminds me of the presentation from Mikko - Education usually won't work.

Enough ranting for now; thanks to Symantec for doing this kind of survey.

Marty has recently released the snort 3.0 pre-alpha version. I'm curious to see what has been implemented in it so far; it should be worth spending some time looking into it. Getting snort 3.0 installed on FreeBSD is kind of quick.

Thursday, April 05, 2007

I haven't had time to update my blog until today. For the first two days before the conference, I was running a training with mel in Dubai; interestingly, I had a mix of people in my training class. I met guys from the US Army and they are really cool folks, and most of the people in the class are involved in the network security field, which makes it easier to run and get involved.

Anyway, the training was over, so the first day of the conference covered various kinds of areas. The keynote speech from Mikko (F-Secure) was decent; he demonstrated F-Secure technology and how online criminals operate via different kinds of technologies and tricks. I haven't really got into all the other talks, but those should be interesting to listen to; I plan to download the presentation videos instead and watch them when I'm free. Anyway, we had the Capture The Flag game going on simultaneously. There are 7 levels in total in the game, and unfortunately no one cracked level 0 on the first day, but we think this is kind of fun. The game has nothing to do with network hacking but more to do with reverse engineering and looking for bugs in applications (buffer/heap overflows, format strings and so forth). All the binaries will soon be published and anyone is welcome to have fun with them.

The second day of the conference started with the keynote speech from Lance Spitzner (if you don't know this guy, apparently you are not in the information security world); he talked about honeypot technology. Another talk that I listened to was Kernel Hacking: If I really know I can hack, from the Hc2c guys. Rodrigo Rubira Branco and Domingo Montanaro are really cool folks and both of them talked about Kernel IDS stuff. I got the chance to talk with them and they are pretty interested in our CTF game as well. I'm looking forward to going to the HC2Conference in Brazil if possible.

The CTF game ended without a winner, as no one broke 4 levels in the game; however, I guess this was a good learning experience for everyone. Thanks to all the participants, and hopefully they had fun. Credit goes to Mel, xWings and Rd who made the game happen.